Results 1 to 10 of 10

Thread: [RESOLVED] Determine If User Account Has Password

  1. #1

    Thread Starter
    Wait... what? weirddemon's Avatar
    Join Date
    Jan 2009
    Location
    USA
    Posts
    3,826

    Resolved [RESOLVED] Determine If User Account Has Password

    I need to be able to validate the windows password of the account that is currently logged in. I've managed to do this when the unit has a password. But if it does not have a password, passing an empty string does not work. It fails each time.

    I've been looking around, but haven't been able to find much on this. Does anyone know how to determine if the user password is empty?

    Below is the API I'm using. But I don't think it will be used for this.

    VB.NET Code:
    1. Private Declare Auto Function LogonUser Lib "advapi32.dll" (ByVal lpszUsername As String, ByVal lpszDomain As String, ByVal lpszPassword As String, _
    2.                                                                 ByVal dwLogonType As LogonType, ByVal dwLogonProvider As Integer, ByRef phToken As IntPtr) As Integer
    CodeBank contributions: Process Manager, Temp File Cleaner

    Quote Originally Posted by SJWhiteley
    "game trainer" is the same as calling the act of robbing a bank "wealth redistribution"....

  2. #2
    Frenzied Member MattP's Avatar
    Join Date
    Dec 2008
    Location
    WY
    Posts
    1,227

    Re: Determine If User Account Has Password

    This pattern in common to all great programmers I know: they're not experts in something as much as experts in becoming experts in something.

    The best programming advice I ever got was to spend my entire career becoming educable. And I suggest you do the same.

  3. #3
    I'm about to be a PowerPoster! Joacim Andersson's Avatar
    Join Date
    Jan 1999
    Location
    Sweden
    Posts
    14,649

    Re: Determine If User Account Has Password

    Normally the Windows Security System does not allow you to dynamically log on to the system if the user lacks a password. If you just want to check if the password the user has entered is correct (and not that you want to use the returned security token) then you can simply check if the System.Runtime.InteropService.Marshal.GetLastWin32Error is equal to ERROR_ACCOUNT_RESTRICTION (=1327) in which case the call to LogonUser failed because the user password is empty.

    The only way to make LogonUser work with empty passwords is to set the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa key to 0 which removes the LimitBlankPasswordUse restriction but this will create a huge security hole in the system and I do not recommend it.

  4. #4

    Thread Starter
    Wait... what? weirddemon's Avatar
    Join Date
    Jan 2009
    Location
    USA
    Posts
    3,826

    Re: Determine If User Account Has Password

    Quote Originally Posted by Joacim Andersson View Post
    Normally the Windows Security System does not allow you to dynamically log on to the system if the user lacks a password. If you just want to check if the password the user has entered is correct (and not that you want to use the returned security token) then you can simply check if the System.Runtime.InteropService.Marshal.GetLastWin32Error is equal to ERROR_ACCOUNT_RESTRICTION (=1327) in which case the call to LogonUser failed because the user password is empty.

    The only way to make LogonUser work with empty passwords is to set the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa key to 0 which removes the LimitBlankPasswordUse restriction but this will create a huge security hole in the system and I do not recommend it.
    Hm... that's an interesting idea. So you're saying I should use my process as normal, but if an empty string is passed as the password, check if the GetLastWin32Error returns ERROR_ACCOUNT_RESTRICTION? If it does, then the logon failed.

    Which sounds like it would work, but wouldn't that be thrown if the logon failed, regardless whether or not the user has a password? So if I used this method, if the computer had a password but an empty string was passed, it would assume that the password is empty. That would cause a lot of problems. Unless of course I'm understanding this incorrectly.
    CodeBank contributions: Process Manager, Temp File Cleaner

    Quote Originally Posted by SJWhiteley
    "game trainer" is the same as calling the act of robbing a bank "wealth redistribution"....

  5. #5
    I'm about to be a PowerPoster! Joacim Andersson's Avatar
    Join Date
    Jan 1999
    Location
    Sweden
    Posts
    14,649

    Re: Determine If User Account Has Password

    No, you wouldn't get the account restriction error if you just tried to logon with the wrong password.

  6. #6

    Thread Starter
    Wait... what? weirddemon's Avatar
    Join Date
    Jan 2009
    Location
    USA
    Posts
    3,826

    Re: Determine If User Account Has Password

    Quote Originally Posted by Joacim Andersson View Post
    No, you wouldn't get the account restriction error if you just tried to logon with the wrong password.
    Gotcha. I won't really get a chance to check it out until Monday. Thanks for the help.
    CodeBank contributions: Process Manager, Temp File Cleaner

    Quote Originally Posted by SJWhiteley
    "game trainer" is the same as calling the act of robbing a bank "wealth redistribution"....

  7. #7
    I'm about to be a PowerPoster! Joacim Andersson's Avatar
    Join Date
    Jan 1999
    Location
    Sweden
    Posts
    14,649

    Re: Determine If User Account Has Password

    Go ahead and test in on Monday and when it works (which it will ) make sure to come back and mark this thread as resolved.

  8. #8

    Thread Starter
    Wait... what? weirddemon's Avatar
    Join Date
    Jan 2009
    Location
    USA
    Posts
    3,826

    Re: Determine If User Account Has Password

    Quote Originally Posted by Joacim Andersson View Post
    Go ahead and test in on Monday and when it works (which it will ) make sure to come back and mark this thread as resolved.
    Are you sure it's 127? I ran it and consistently got 6.

    VB.NET Code:
    1. Private Sub btnTest_Click(sender As System.Object, e As System.EventArgs) Handles btnTest.Click
    2.         If Me.IsNTPasswordValid(String.Empty) Then
    3.             Me.DialogResult = Windows.Forms.DialogResult.OK
    4.             Me.Close()
    5.         Else
    6.             If Marshal.GetLastWin32Error() = 1327 Then
    7.                 MessageBox.Show("pass")
    8.             Else
    9.                 MessageBox.Show(Marshal.GetLastWin32Error.ToString)
    10.             End If
    11.         End If
    12.     End Sub
    13.  
    14.  
    15.     Public Function IsNTPasswordValid(ByVal Password As String) As Boolean
    16.         Dim Token As New IntPtr
    17.         LogonUser(Environment.UserName, Environment.UserDomainName, Password, LogonType.LOGON32_LOGON_INTERACTIVE, 0, Token)
    18.         CloseHandle(Token)
    19.         If Token.ToInt32 <> 0 Then Return True Else Return False
    20.     End Function
    21.  
    22.     Private Declare Auto Function LogonUser Lib "advapi32.dll" (ByVal lpszUsername As String, ByVal lpszDomain As String, ByVal lpszPassword As String, _
    23.                                                                 ByVal dwLogonType As LogonType, ByVal dwLogonProvider As Integer, ByRef phToken As IntPtr) As Integer
    24.     Private Declare Auto Function CloseHandle Lib "kernel32.dll" (ByVal hObject As IntPtr) As Boolean
    25.  
    26.     Private Enum LogonType As Integer
    27.         LOGON32_LOGON_INTERACTIVE = 2
    28.         LOGON32_LOGON_NETWORK = 3
    29.         LOGON32_LOGON_BATCH = 4
    30.         LOGON32_LOGON_SERVICE = 5
    31.         LOGON32_LOGON_UNLOCK = 7
    32.         LOGON32_LOGON_NETWORK_CLEARTEXT = 8
    33.         LOGON32_LOGON_NEW_CREDENTIALS = 9
    34.     End Enum

    *Edit: Also, that's not good because I get that error code regardless of the computer has a password.
    Last edited by weirddemon; Apr 23rd, 2012 at 03:55 PM.
    CodeBank contributions: Process Manager, Temp File Cleaner

    Quote Originally Posted by SJWhiteley
    "game trainer" is the same as calling the act of robbing a bank "wealth redistribution"....

  9. #9
    I'm about to be a PowerPoster! Joacim Andersson's Avatar
    Join Date
    Jan 1999
    Location
    Sweden
    Posts
    14,649

    Re: Determine If User Account Has Password

    You're doing the error checking a bit late since you call CloseHandle after the call to LogonUser. CloseHandle can very well change the error number, which it most likely do if LogonUser fails you don't get a handle to close and when you try to do that the CloseHandle will fail and set its own error number. You should check the GetLastWin32Error value directly after the call to LogonUser.

  10. #10

    Thread Starter
    Wait... what? weirddemon's Avatar
    Join Date
    Jan 2009
    Location
    USA
    Posts
    3,826

    Re: Determine If User Account Has Password

    Quote Originally Posted by Joacim Andersson View Post
    You're doing the error checking a bit late since you call CloseHandle after the call to LogonUser. CloseHandle can very well change the error number, which it most likely do if LogonUser fails you don't get a handle to close and when you try to do that the CloseHandle will fail and set its own error number. You should check the GetLastWin32Error value directly after the call to LogonUser.
    Ah. Gotcha.

    Thanks, that did it.
    CodeBank contributions: Process Manager, Temp File Cleaner

    Quote Originally Posted by SJWhiteley
    "game trainer" is the same as calling the act of robbing a bank "wealth redistribution"....

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  



Click Here to Expand Forum to Full Width